<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Uh..., probably it is not so good to publish security issues on a public list.<div class="">The official way is</div><div class=""><a href="https://koha-community.org/security/" class="">https://koha-community.org/security/</a></div><div class="">if I'm not wrong.</div><div class="">sb<br class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 15 Mar 2017, at 16:57, Devinim Koha Development Team <<a href="mailto:kohadevinim@devinim.com.tr" class="">kohadevinim@devinim.com.tr</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class=""><p class="">Hi,</p><p class="">In that case we can reach the user detailed information without
giving a password by curl.</p><p class="">If you want we can share the code how to get this information
without authentication, from this list.<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 15-03-2017 18:50, Jonathan Druart
wrote:<br class="">
</div>
<blockquote cite="mid:CAJzKNY4b5eQbScx+ZKZgJzJQog1F+2J-VgAsTsFOeTm9zG=5SQ@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">Hi,<br class="">
</div>
<br class="">
authnotrequired is set to 1 because <a moz-do-not-send="true" href="http://opac-memberentry.pl/" class="">opac-memberentry.pl</a>
is also used by the self registration feature.<br class="">
</div>
The patron information displayed is based on the logged in
user, not a parameter passed to the script.<br class="">
<br class="">
</div>
Everything looks ok to me.<br class="">
<br class="">
</div>
Regards,<br class="">
</div>
Jonathan<br class="">
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="">On Wed, 15 Mar 2017 at 12:18 Devinim Koha
Development Team <<a moz-do-not-send="true" href="mailto:kohadevinim@devinim.com.tr" class="">kohadevinim@devinim.com.tr</a>>
wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class="gmail_msg"><p class="gmail_msg">Hi all,</p><p class="gmail_msg">In the <a moz-do-not-send="true" href="http://opac-memberentry.pl/" class="gmail_msg" target="_blank">opac-memberentry.pl</a>
authnotrequired area is 1 by default, in that case, user
information can be reached without given a user
authentication <br class="gmail_msg">
</p><p class="gmail_msg">and this can lead some
vulnerabilites, do we miss something? We were not able
to understand why it is 1 by default?</p><p class="gmail_msg">Thanks.<br class="gmail_msg">
</p>
</div>
<div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
<div class=" m_1657876652455208796moz-cite-prefix
gmail_msg">On 14-03-2017 11:33, Chris Cormack wrote:<br class="gmail_msg">
</div>
<blockquote type="cite" class="gmail_msg">Hi, <br class="gmail_msg">
<br class="gmail_msg">
Normally once they are released the release maintainer
shifts them out of security. That one got missed,
shifted now <br class="gmail_msg">
<br class="gmail_msg">
Chris <br class="gmail_msg">
<br class="gmail_msg">
<div class="gmail_quote gmail_msg">On 14 March 2017
9:13:51 PM NZDT, Devinim Koha Development Team <a moz-do-not-send="true" class=" m_1657876652455208796moz-txt-link-rfc2396E
gmail_msg" href="mailto:kohadevinim@devinim.com.tr" target="_blank"><kohadevinim@devinim.com.tr></a>
wrote:
<blockquote class="gmail_quote gmail_msg" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px
solid rgb(204,204,204);padding-left:1ex">
<pre class="gmail_msg m_1657876652455208796k9mail">Hi all,
How can we see the fixes of security bugs?
We've faced with a vulnerability with Bug# 16969 in a new version, but
it's said that it was fixed in 3.22.10.
Thanks.
Devinim Koha Dev. Team
<hr class="gmail_msg">
Koha-devel mailing list
<a moz-do-not-send="true" class="gmail_msg m_1657876652455208796moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org/" class="gmail_msg" target="_blank">http://www.koha-community.org</a>/
git : <a moz-do-not-send="true" href="http://git.koha-community.org/" class="gmail_msg" target="_blank">http://git.koha-community.org</a>/
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org/" class="gmail_msg" target="_blank">http://bugs.koha-community.org</a>/
</pre></blockquote></div>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
</blockquote>
</div>_______________________________________________
Koha-devel mailing list
<a moz-do-not-send="true" href="mailto:Koha-devel@lists.koha-community.org" class="gmail_msg" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://www.koha-community.org/</a>
git : <a moz-do-not-send="true" href="http://git.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://git.koha-community.org/</a>
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://bugs.koha-community.org/</a></blockquote></div></div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="" class="">_______________________________________________
Koha-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a>
<a class="moz-txt-link-freetext" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a class="moz-txt-link-freetext" href="http://www.koha-community.org/">http://www.koha-community.org/</a>
git : <a class="moz-txt-link-freetext" href="http://git.koha-community.org/">http://git.koha-community.org/</a>
bugs : <a class="moz-txt-link-freetext" href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a></pre>
</blockquote>
</div>_______________________________________________<br class="">Koha-devel mailing list<br class=""><a href="mailto:Koha-devel@lists.koha-community.org" class="">Koha-devel@lists.koha-community.org</a><br class="">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel<br class="">website : http://www.koha-community.org/<br class="">git : http://git.koha-community.org/<br class="">bugs : http://bugs.koha-community.org/</div></blockquote></div><br class=""></div></div></body></html>